
Ticket #10059 (new defect)

Opened 7 months ago

Last modified 2 months ago

[PATCH] auto_complete plugin is broken by CSRF protection

Reported by: krishna Assigned to: core
Priority: normal Milestone: 2.x
Component: Plugins Version: edge
Severity: normal Keywords: CSRF plugin auto_complete
Cc:

Description

The auto_complete plugin does not work with the new CSRF protection, at least with non-cookie sessions. This patch fixes the plugin and provides tests.

I also updated the tests so that they can be run outside of a Rails project (requires that Rails is available via gems).

Attachments

auto_complete_should_work_with_CSRF_and_be_testable_outside_a_project.patch (4.5 kB) - added by krishna on 11/02/07 07:19:46.
updated_auto_complete_should_work_with_CSRF_and_be_testable_outside_a_project.patch (4.5 kB) - added by RSL on 04/02/08 22:32:17.
An updated patch which does not add the request_forgery_protection_token for GET requests

Change History

11/02/07 07:19:46 changed by krishna

  • attachment auto_complete_should_work_with_CSRF_and_be_testable_outside_a_project.patch added.

12/10/07 16:40:01 changed by sjgman9

+1

12/10/07 18:31:20 changed by fcheung

+1 from me!

(follow-up: ↓ 4 ) 12/11/07 16:53:08 changed by lifofifo

I'd probably change the code to:

# respond_to? (with the question mark) is the Ruby reflection method; plain
# respond_to is not what we want here. The guard keeps the helper usable where
# protect_against_forgery? does not exist.
if respond_to?(:protect_against_forgery?) && protect_against_forgery?
  js_options[:parameters] = "'#{request_forgery_protection_token}=' + encodeURIComponent('#{escape_javascript form_authenticity_token}')"
end

So that it works with 1.2.x as well.

(in reply to: ↑ 3 ) 01/14/08 06:23:33 changed by moses

Replying to lifofifo:

    I'd probably change the code to:

    if respond_to?(:protect_against_forgery?) && protect_against_forgery?
      js_options[:parameters] = "'#{request_forgery_protection_token}=' + encodeURIComponent('#{escape_javascript form_authenticity_token}')"
    end

    So that it works with 1.2.x as well.

+1. Not sure why you'd need to make it compatible with 1.2.x, though, because auto_complete is not a plugin in 1.2.x but is built in.

Note similarities between this bug and the one about incompatibility of the in_place_editing plugin and CSRF protection. http://dev.rubyonrails.org/ticket/10055

01/31/08 18:57:29 changed by sudara

+1

This should go in unless there are unknown secret alternative javascript integration plans by the rails core folks.

02/10/08 19:57:23 changed by zsombor

Take a look at #11071 a global solution for all Ajax requests. Do you see this as preferable?

02/13/08 22:01:29 changed by redinger

+1 Just applied today and it fixed my problem.

04/02/08 22:30:11 changed by RSL

Adding a fix on that patch that doesn't add the request_forgery_protection_token if :method => "get". Not that it would check its validity on the server side but why add unneeded data?
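
The two points raised in this ticket (lifofifo's guarded token injection and RSL's "no token on GET") in one runnable form, as an added example that is not the plugin's or Rails' own code. It runs outside a Rails project: the `AutoCompleteContext` class is a constructed stand-in for the view-helper context, exposing only the three methods the patch relies on plus a copy of Rails' `escape_javascript` escape map; `browser_params` and `verified_request?` are simplified models of what Prototype's Ajax.Autocompleter sends and what the receiving controller checks, not Rails' real `verified_request?`.

```ruby
# Added example, not code from the ticket's patch or from Rails.
# Stand-in for the helper context in which text_field_with_auto_complete runs.
class AutoCompleteContext
  # Rails' default name for the CSRF parameter (an assumption of this example).
  TOKEN_PARAM = 'authenticity_token'

  # Escape map copied from Rails' escape_javascript helper.
  JS_ESCAPE_MAP = {
    '\\' => '\\\\', '</' => '<\/', "\r\n" => '\n', "\n" => '\n',
    "\r" => '\n', '"' => '\\"', "'" => "\\'"
  }

  def initialize(protect:, token:)
    @protect = protect
    @token = token
  end

  def protect_against_forgery?; @protect; end
  def form_authenticity_token;  @token;   end
  def request_forgery_protection_token; TOKEN_PARAM; end

  def escape_javascript(js)
    js.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { JS_ESCAPE_MAP[$1] }
  end

  # Build the :parameters option handed to Ajax.Autocompleter:
  #  - only when the context has forgery protection and it is switched on
  #    (the respond_to? guard from the discussion above),
  #  - never for GET, which Rails does not verify, so the token is dead weight.
  # Returns nil when no parameter should be added.
  def csrf_parameters(method: 'post')
    return nil if method.to_s.downcase == 'get'
    return nil unless respond_to?(:protect_against_forgery?) && protect_against_forgery?
    "'#{request_forgery_protection_token}=' + encodeURIComponent('#{escape_javascript(form_authenticity_token)}')"
  end
end

# Model of what the browser does with that JS expression: evaluate it and send
# the result as a request parameter. Only the exact shape built above is
# understood (an assumption of this example, not a JS interpreter).
def browser_params(js_expr)
  m = js_expr.match(/\A'([^=']+)=' \+ encodeURIComponent\('(.*)'\)\z/)
  raise ArgumentError, 'unexpected parameters expression' unless m
  value = m[2].gsub(/\\(.)/) { $1 == 'n' ? "\n" : $1 } # undo escape_javascript
  { m[1] => value }
end

# Constant-time comparison so a wrong token is not distinguishable by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Simplified model of the server-side check (assumption for this example):
# GET is never verified; every other method must present the session's token.
def verified_request?(method:, params:, session_token:)
  return true if method.to_s.downcase == 'get'
  presented = params[AutoCompleteContext::TOKEN_PARAM]
  !presented.nil? && secure_compare(presented, session_token)
end

if __FILE__ == $0
  ctx = AutoCompleteContext.new(protect: true, token: 'constructed-token-0123')
  expr = ctx.csrf_parameters(method: 'post')
  puts "js_options[:parameters] = #{expr}"
  params = browser_params(expr)
  puts "server sees #{params.inspect}, verified: #{verified_request?(method: 'post', params: params, session_token: ctx.form_authenticity_token)}"
  puts "without the patch, POST verified: #{verified_request?(method: 'post', params: {}, session_token: ctx.form_authenticity_token)}"
  puts "GET parameters: #{ctx.csrf_parameters(method: 'get').inspect}"
end
```

The round trip shows why the plugin broke: without the parameter the Ajax POST reaches the controller with no token and fails verification, while with it the request passes; switching `:method => "get"` drops the parameter entirely, which is exactly RSL's refinement.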

04/02/08 22:32:17 changed by RSL

  • attachment updated_auto_complete_should_work_with_CSRF_and_be_testable_outside_a_project.patch added.

An updated patch which does not add the request_forgery_protection_token for GET requests